1 Introduction

Now the theory of quasigroup applications in cryptology is going through a period of rather rapid growth. Therefore any review of results in this area quickly becomes outdated. Here we give a rewritten and supplemented form of earlier versions [111, 112] of such reviews. See also [55, 123].

Almost all results obtained in the domain of quasigroup applications in cryptology and coding theory up to the end of the eighties of the XX-th century are described in [25, 26, 28]. In the present survey the main attention is devoted to the later articles in this direction.

Basic facts on quasigroup theory can be found in [6, 8, 102, 83, 111]. Information on basic facts in cryptology can be found in many books, see, for example, [3, 13, 95, 96].

Cryptology is a science that consists of two parts: cryptography and cryptanalysis. Cryptography is the science of methods of transformation (ciphering) of information with the purpose of protecting this information from an unlawful user. Cryptanalysis is the science of methods and ways of breaking ciphers [37].

In some sense cryptography is a "defense", i.e. it is the science of constructing new ciphers, while cryptanalysis is an "attack", i.e. it is a science and some kind of "art", a set of methods for breaking ciphers. This situation is similar to the situation with intelligence and counter-intelligence.

These two subjects (cryptography and cryptanalysis) are very close, and there is no good cryptographer who does not know the methods of cryptanalysis.

It is clear that cryptology depends on the level of development of society, of science and of technology.

We recall that a cipher is a way (a method, an algorithm) of transforming information with the purpose of protecting it. A key is some hidden part (usually a small one) or parameter of a cipher.

Steganography is a set of means and methods of hiding the fact of sending (or passing) information, for example, a communication or a letter. Nowadays there exist methods of hiding the fact that information is sent by ordinary post, by e-mail and so on.

In this survey by Coding Theory (Code Theory) we mean the science of protecting information from accidental errors caused by the transformation and sending (passing) of this information.

When sending important and confidential information it makes sense, as it seems to us, to use methods of Code Theory, Cryptology and Steganography all together [80].

In cryptology one often uses the following Kerckhoffs' (1835 - 1903) rule: an opponent (an unlawful user) knows the whole ciphering procedure (sometimes a part of the plaintext or ciphertext) with the exception of the key.

Many authors of books devoted to cryptology divide this science (sometimes without paying attention to this fact) into two parts: before the article of Diffie and Hellman [30] (so-called cryptology with a non-public (symmetric) key) and after this work (cryptology with a public or non-symmetric key). Practically, it was the Diffie and Hellman article that opened a new era in cryptology. Moreover, it is possible to apply these new approaches in practice.

The especially fast development of the second part of cryptology is connected with the very fast development of personal computers, networks of personal computers and other electronic devices at the end of the XX-th century. Many new mathematical and cryptographical problems appeared in this direction and some of them are not solved. Solving these problems has big importance for practice.

Almost all known constructions of error detecting and error correcting codes, cryptographic algorithms and enciphering systems have made use of associative algebraic structures such as groups and fields, see, for example, [HllEI].

There exists a possibility to use such non-associative structures as quasi- 
groups and neo-fields in almost all branches of coding theory, and especially 
in cryptology. 

Often the codes and ciphers based on non-associative systems show better possibilities than the known codes and ciphers based on associative systems [MIES].

Notice that in recent years quantum coding theory and quantum cryptology [1141 W7\ 11241 E] have been developed intensively. Quantum cryptology also uses theoretical achievements of "usual" cryptology [12].

The efficacy of applications of quasigroups in cryptology is based on the fact that quasigroups are "generalized permutations" of some kind and the number of quasigroups of order $n$ is larger than $n! \cdot (n-1)! \cdot \ldots \cdot 2! \cdot 1!$ [25].

It is worth noting that several of the early professional cryptographers, in particular A. A. Albert, A. Drisko, M. M. Glukhov, J. B. Rosser, E. Schönhardt, C. I. Mendelson and R. Schauffler, were connected with the development of Quasigroup Theory. The main known "applicants" of quasigroups in cryptology were (and are) J. Dénes and A. D. Keedwell [22, 25, 26, 28, 23].

Of course, one of the most effective cipher methods is to use an unknown, non-standard or very rare language. Probably the best enciphering method was (and is) to have a good agent.



2 Quasigroups in "classical" cryptology 

There exist two main elementary methods when ciphering the information. 

(i) Symbols in a plaintext (or in a piece of it) are permuted by some law. The first known cipher of this kind is the "Scytale" cipher (Sparta, 2500 years ago).

(ii) All symbols of a fixed alphabet are changed by some law into other letters of this alphabet. One of the first ciphers of this kind was Caesar's cipher ($x \to x + 3$ for any letter of the Latin alphabet, for example $a \to d$, $b \to e$ and so on).

In many contemporary ciphers (DES, Russian GOST, Blowfish [951131]) methods (i) and (ii) are used with some modifications.

The Trithemius cipher makes use of a $26 \times 26$ square array containing the 26 letters of the alphabet (assuming that the language is English) arranged in a Latin square. Different rows of this square array are used for enciphering various letters of the plaintext in a manner prescribed by the keyword or key-phrase [3, 65]. Since a Latin square is the multiplication table of a quasigroup, this may be regarded as the earliest use of a non-associative algebraic structure in cryptology. There exists a possibility to develop this direction using the quasigroup approach, in particular, using orthogonal systems of binary or $n$-ary quasigroups.

R. Schauffler in his Ph.D. dissertation discussed the minimum amount of plaintext and corresponding ciphertext which would be required to break the Vigenère cipher (a modification of the Trithemius cipher) [106]. That is, he considered the minimum number of entries of a particular Latin square which would determine the square completely.

Recently this problem has re-arisen as the problem of determining so-called critical sets in Latin squares, see [671 ESI [331 [361 ESI [69]. See also the articles devoted to Latin trades, for example [5].

More recent enciphering systems which may be regarded as extensions of Vigenère's idea are mechanical machines such as Jefferson's wheel and the M-209 Converter (used by the U.S. Army until the early 1950's) and the electronically produced stream ciphers of the present day [771 ES].

During the Second World War R. Schauffler, while working for the German cryptography service, developed a method of error detection based on the use of generalized identities (as they were later called by V. D. Belousov) in which the check digits are calculated by means of an associative system of quasigroups (see also [H]). He pointed out that the resulting message would be more difficult to decode by an unauthorized receiver than in the case when a single associative operation is used for the calculation [107].



Therefore it is possible to assume that information on systems of quasigroups with generalized identities (see, for example, the works of Yu. Movsisyan [97]) may be applied in cryptography of the present day.



Definition 2.1. A bijective mapping $\varphi : g \to \varphi(g)$ of a finite group $(G, \cdot)$ onto itself is called an orthomorphism if the mapping $\theta : g \to \theta(g)$, where $\theta(g) = g^{-1}\varphi(g)$, is again a bijective mapping of $G$ onto itself. The orthomorphism is said to be in canonical form if $\varphi(1) = 1$, where $1$ is the identity element of $(G, \cdot)$.

A direct application of orthomorphisms to cryptography is described in [921 E].



3 Quasigroup-based stream ciphers 

"Stream ciphers are an important class of encryption algorithms. They 
encrypt individual characters (usually binary digits) of a plaintext message 
one at a time, using an encryption transformation which varies with time. 

By contrast, block ciphers tend to simultaneously encrypt groups of 
characters of a plaintext message using a fixed encryption transformation. 
Stream ciphers are generally faster than block ciphers in hardware, and have 
less complex hardware circuitry. 

They are also more appropriate, and in some cases mandatory (e.g., in 
some telecommunications applications), when buffering is limited or when 
characters must be individually processed as they are received. Because they 
have limited or no error propagation, stream ciphers may also be advanta- 
geous in situations where transmission errors are highly probable" [90].

Often for ciphering a block (a letter) $B_i$ of a plaintext the previous ciphered block $C_{i-1}$ is used. Notice that Horst Feistel was one of the first who proposed such a method of encryption (Feistel network) [51].

In [77] (see also [78, 79]) C. Koscielny has shown how quasigroup/neofield-based stream ciphers may be produced which are both more efficient and more secure than those based on groups/fields.

In [100, 87] it is proposed to use quasigroups for secure encoding.

A quasigroup $(Q, \cdot)$ and its (23)-parastrophe $(Q, \backslash)$ satisfy the following identities: $x \backslash (x \cdot y) = y$, $x \cdot (x \backslash y) = y$. The authors propose to use this property of quasigroups to construct a stream cipher.

Algorithm 3.1. Let $A$ be a non-empty alphabet, $k$ be a natural number, $u_i, v_i \in A$, $i \in \{1, \ldots, k\}$. Define a quasigroup $(A, \cdot)$. It is clear that the quasigroup $(A, \backslash)$ is then defined in a unique way. Take a fixed element $l$ ($l \in A$), which is called a leader.



Let $u_1 u_2 \ldots u_k$ be a $k$-tuple of letters from $A$. The authors propose the following ciphering procedure: $v_1 = l \cdot u_1$, $v_i = v_{i-1} \cdot u_i$, $i = 2, \ldots, k$. Therefore we obtain the following ciphertext: $v_1 v_2 \ldots v_k$.

The deciphering algorithm is constructed in the following way: $u_1 = l \backslash v_1$, $u_i = v_{i-1} \backslash v_i$, $i = 2, \ldots, k$.

The authors claim that this cipher is resistant to the brute force attack (exhaustive search) and to the statistical attack (in many languages some letters occur more frequently than others).

Example 3.1. Let the alphabet $A$ consist of the letters $a, b, c$. Take the quasigroup $(A, \cdot)$:

Then $(A, \backslash)$ has the following Cayley table:

Let $l = a$ and the open text be $u = bbcaacba$. Then the ciphertext is $v = cbbcaaca$. Applying the decoding function to $v$ we get $bbcaacba = u$.
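As an added example (not from the survey or from [100, 87]), Algorithm 3.1 in Python, run on the data of Example 3.1. The Cayley table used is an assumption: it is the unique quasigroup on $\{a, b, c\}$ consistent with the plaintext/ciphertext pair $u = bbcaacba$, $v = cbbcaaca$ and leader $l = a$ given above; the (23)-parastrophe is derived from it rather than typed in.

```python
from itertools import product

# Constructed quasigroup on {a, b, c}: MUL[x][y] = x * y (rows = left operand).
# It is the unique table consistent with Example 3.1 (l = a, u = bbcaacba,
# v = cbbcaaca); the survey's own table is not reproduced above.
ALPHABET = "abc"
MUL = {
    "a": {"a": "b", "b": "c", "c": "a"},
    "b": {"a": "c", "b": "a", "c": "b"},
    "c": {"a": "a", "b": "b", "c": "c"},
}


def is_quasigroup(table, alphabet=ALPHABET):
    """(A, *) is a quasigroup iff its Cayley table is a Latin square:
    each symbol occurs exactly once in every row and in every column."""
    target = sorted(alphabet)
    rows = all(sorted(table[x][y] for y in alphabet) == target for x in alphabet)
    cols = all(sorted(table[x][y] for x in alphabet) == target for y in alphabet)
    return rows and cols


def left_division(table, alphabet=ALPHABET):
    """(23)-parastrophe: x \\ z is the unique y with x * y = z.
    The Latin-square property is what makes y unique."""
    ldiv = {x: {} for x in alphabet}
    for x in alphabet:
        for y in alphabet:
            ldiv[x][table[x][y]] = y
    return ldiv


def encrypt(plaintext, leader, table=MUL):
    """Algorithm 3.1: v_1 = l * u_1, v_i = v_{i-1} * u_i."""
    out, prev = [], leader
    for u in plaintext:
        prev = table[prev][u]
        out.append(prev)
    return "".join(out)


def decrypt(ciphertext, leader, table=MUL, alphabet=ALPHABET):
    """Inverse of Algorithm 3.1: u_1 = l \\ v_1, u_i = v_{i-1} \\ v_i."""
    ldiv = left_division(table, alphabet)
    out, prev = [], leader
    for v in ciphertext:
        out.append(ldiv[prev][v])
        prev = v
    return "".join(out)


def roundtrip_all(length, leader, table=MUL, alphabet=ALPHABET):
    """decrypt(encrypt(u)) == u for every word u of the given length."""
    return all(
        decrypt(encrypt("".join(w), leader, table), leader, table, alphabet) == "".join(w)
        for w in product(alphabet, repeat=length)
    )


if __name__ == "__main__":
    print(is_quasigroup(MUL))
    print(encrypt("bbcaacba", "a"))   # cbbcaaca, as in Example 3.1
    print(decrypt("cbbcaaca", "a"))   # bbcaacba
```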

Probably the cipher described here (Algorithm 3.1) and its generalizations are now the best known and most used quasigroup-based stream ciphers.

The authors of [100] say that this cipher is resistant to the brute force attack and to the statistical one.

Cryptanalysis of Algorithm 3.1 was made by M. Vojvoda [122]. He showed that this cipher is not resistant to the chosen ciphertext attack, the chosen plaintext attack and the ciphertext-only attack.

We give the following 3-ary modification of Algorithm 3.1 [101]. The possibility of such a modification of Algorithm 3.1 was observed in [111].

Algorithm 3.2. Let $A$ be a non-empty alphabet, $k$ be a natural number, $u_i, v_i \in A$, $i \in \{1, \ldots, k\}$. Define a 3-ary quasigroup $(A, \beta)$. It is clear that this quasigroup defines $(4! - 1)$ parastrophes, including the (14)-, (24)- and (34)-parastrophes.



Take fixed elements $l_1, l_2, l_3, l_4$ ($l_i \in A$), which are called leaders.

Let $u_1 u_2 \ldots u_k$ be a $k$-tuple of letters from $A$. The author proposes the following ciphering procedure: $v_1 = \beta(u_1, l_1, l_2)$, $v_2 = \beta(u_2, l_3, l_4)$, $v_i = \beta(u_i, v_{i-2}, v_{i-1})$, $i = 3, 4, \ldots, k-1$. Therefore we obtain the following ciphertext: $v_1 v_2 \ldots v_k$.

The deciphering algorithm is constructed in the following way: $u_1 = {}^{(14)}\beta(v_1, l_1, l_2)$, $u_2 = {}^{(14)}\beta(v_2, l_3, l_4)$, $u_i = {}^{(14)}\beta(v_i, v_{i-2}, v_{i-1})$, $i = 3, 4, \ldots, k-1$.

In [101] variants of Algorithm 3.2 using the (24)- and (34)-parastrophes of a ternary quasigroup are also given.
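An added example (not from [101]) of Algorithm 3.2 in Python; the alphabet $\mathbb{Z}_5$, the ternary quasigroup $\beta(x, y, z) = (2x + y + 3z + 1) \bmod 5$ and the leaders are constructed here, and the recurrence is carried through to the last letter $v_k$. The (14)-parastrophe is computed by exhaustive search, which works for any finite ternary quasigroup.

```python
from itertools import product

N = 5  # constructed alphabet A = Z_5


def beta(x, y, z):
    """Constructed ternary quasigroup on Z_5: every coefficient is a unit
    mod 5, so fixing any two arguments gives a bijection in the third."""
    return (2 * x + y + 3 * z + 1) % N


def parastrophe_14(op, alphabet=range(N)):
    """(14)-parastrophe of a ternary quasigroup: the operation sending
    (w, y, z) to the unique x with op(x, y, z) = w.  Built by exhaustive
    search so it applies to any finite ternary quasigroup, not just beta."""
    table = {}
    for x, y, z in product(alphabet, repeat=3):
        key = (op(x, y, z), y, z)
        if key in table:
            raise ValueError("op is not a quasigroup in its first argument")
        table[key] = x
    return lambda w, y, z: table[(w, y, z)]


def encrypt(u, leaders):
    """Algorithm 3.2 (k >= 2): v_1 = beta(u_1, l_1, l_2), v_2 = beta(u_2, l_3, l_4),
    v_i = beta(u_i, v_{i-2}, v_{i-1}); two previous ciphertext letters feed back."""
    l1, l2, l3, l4 = leaders
    v = [beta(u[0], l1, l2), beta(u[1], l3, l4)]
    for i in range(2, len(u)):
        v.append(beta(u[i], v[i - 2], v[i - 1]))
    return v


def decrypt(v, leaders):
    """Same recurrence with beta replaced by its (14)-parastrophe."""
    inv = parastrophe_14(beta)
    l1, l2, l3, l4 = leaders
    u = [inv(v[0], l1, l2), inv(v[1], l3, l4)]
    for i in range(2, len(v)):
        u.append(inv(v[i], v[i - 2], v[i - 1]))
    return u


if __name__ == "__main__":
    leaders = (1, 4, 0, 2)
    msg = [3, 1, 4, 1, 0, 2]
    c = encrypt(msg, leaders)
    print(c, decrypt(c, leaders) == msg)   # [0, 4, 1, 0, 2, 1] True
```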

Further development of Algorithm 3.1 is presented in



Definition 3.1. Let $r$ be a positive integer, let $(Q, *)$ be a quasigroup and $a_i, b_i \in Q$. For each fixed $m \in Q$ define first the transformation $Q_m : Q^r \to Q^r$ by

$Q_m(a_0, a_1, \ldots, a_{r-1}) = (b_0, b_1, \ldots, b_{r-1}) \iff b_i = \begin{cases} m * a_0, & i = 0; \\ b_{i-1} * a_i, & 1 \le i \le r-1. \end{cases}$

Then define $R$ as a composition of transformations of the kind $Q_m$, for suitable choices of the indexes $m$, as follows:

$R(a_0, a_1, \ldots, a_{r-1}) = Q_{a_0}(Q_{a_1}(\ldots(Q_{a_{r-1}}(a_0, a_1, \ldots, a_{r-1})))).$
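An added example (not from [54]) of the transformation $Q_m$ and the composition $R$ of Definition 3.1, with the quasigroup $(\mathbb{Z}_7, *)$, $x * y = (3x + y + 1) \bmod 7$, chosen here for illustration; the inverse of a single $Q_m$ with known leader is included to show where the leader acts as a key.

```python
MOD = 7  # constructed: (Q, *) = (Z_7, *) with x * y = (3x + y + 1) mod 7


def star(x, y):
    return (3 * x + y + 1) % MOD


def left_div(x, z):
    """x \\ z: the unique y with x * y = z (solved in closed form here)."""
    return (z - 3 * x - 1) % MOD


def q_m(m, a):
    """Q_m of Definition 3.1: b_0 = m * a_0, b_i = b_{i-1} * a_i."""
    b, prev = [], m
    for x in a:
        prev = star(prev, x)
        b.append(prev)
    return tuple(b)


def q_m_inverse(m, b):
    """Undo Q_m when the leader m is known: a_0 = m \\ b_0, a_i = b_{i-1} \\ b_i."""
    a, prev = [], m
    for z in b:
        a.append(left_div(prev, z))
        prev = z
    return tuple(a)


def r_transform(a):
    """R(a) = Q_{a_0}(Q_{a_1}(...(Q_{a_{r-1}}(a)))): the innermost Q uses the
    last input letter as leader, the outermost uses the first one."""
    a = tuple(a)
    out = a
    for m in reversed(a):
        out = q_m(m, out)
    return out


if __name__ == "__main__":
    print(q_m(5, (2, 5)), q_m_inverse(5, q_m(5, (2, 5))))   # (4, 4) (2, 5)
    print(r_transform((2, 5)))                              # (4, 3)
```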

Definition 3.2. [54] (Shapeless quasigroup) A quasigroup $(Q, *)$ of order $n$ is said to be shapeless if it is non-commutative, non-associative, has neither a left nor a right unit, does not contain proper subquasigroups, and there is no $k < 2n$ for which the identities of the kinds

$x * (x * \ldots x * (x * (x * y))) = y, \qquad y = (((y * x) * \ldots) * x) * x \qquad (1)$

(with $k$ occurrences of $x$) are satisfied.



Remark 3.1. The condition $k < 2n$ for identities (1) means that any left and right translation of the quasigroup $(Q, *)$ should have order $k > 2n + 1$.



In [54] it is proposed to construct shapeless quasigroups using the transversal approach [58]. Simple quasigroups without subquasigroups and with identity automorphism group are studied in [82l [TU [Ml IllOj.

In the article [53] a block cipher based on Algorithm 3.1 is proposed. Let $(Q, *)$ be a quasigroup of finite order $2^d$. Using the operation $*$ the authors define the following vector valued Boolean function (v.v.b.f.): $a * b = c \iff *_{vv}(x_1, x_2, \ldots, x_d, y_1, y_2, \ldots, y_d) = (z_1, z_2, \ldots, z_d)$, where $x_1 \ldots x_d$, $y_1 \ldots y_d$, $z_1 \ldots z_d$ are the binary representations of $a, b, c$ respectively.

Each element $z_i$ depends on the bits $x_1, x_2, \ldots, x_d, y_1, y_2, \ldots, y_d$ and is uniquely determined by them. So each $z_i$ can be seen as a $2d$-ary Boolean function $z_i = f_i(x_1, x_2, \ldots, x_d, y_1, y_2, \ldots, y_d)$, where $f_i : \{0,1\}^{2d} \to \{0,1\}$ strictly depends on, and is uniquely determined by, $*$.

The authors state that for every quasigroup $(Q, *)$ of order $2^d$ and for each bijection $Q \to \{0, 1, \ldots, 2^d - 1\}$ there are a uniquely determined v.v.b.f. $*_{vv}$ and $d$ uniquely determined $2d$-ary Boolean functions $f_1, f_2, \ldots, f_d$ such that for each $a, b, c \in Q$

$a * b = c \iff *_{vv}(x_1, \ldots, x_d, y_1, \ldots, y_d) = (f_1(x_1, \ldots, x_d, y_1, \ldots, y_d), \ldots, f_d(x_1, \ldots, x_d, y_1, \ldots, y_d)).$

Each $k$-ary Boolean function $f(x_1, \ldots, x_k)$ can be represented in a unique way by its algebraic normal form (ANF), i.e., as a sum of products

$\mathrm{ANF}(f) = a_0 + \sum_{i=1}^{k} a_i x_i + \sum_{1 \le i < j \le k} a_{i,j} x_i x_j + \sum_{1 \le i < j < s \le k} a_{i,j,s} x_i x_j x_s + \ldots,$

where the coefficients $a_0, a_i, a_{i,j}, \ldots$ are in the set $\{0, 1\}$ and the addition and multiplication are in the field $GF(2)$.

The ANFs of the functions $f_i$ give information about the complexity of the quasigroup $(Q, *)$ via the degrees of the Boolean functions $f_i$. The degrees of the polynomials $\mathrm{ANF}(f_i)$ rise with the order of the quasigroup. In general, for a randomly generated quasigroup of order $2^d$, $d > 4$, the degrees are higher than 2.

Definition 3.3. A quasigroup $(Q, *)$ of order $2^d$ is called a Multivariate Quadratic Quasigroup (MQQ) of type $\mathrm{Quad}_{d-k}\mathrm{Lin}_k$ if exactly $d - k$ of the polynomials $f_i$ are of degree 2 (i.e., are quadratic) and $k$ of them are of degree 1 (i.e., are linear), where $0 \le k < d$ [53].
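An added example (not from [53]) that computes the v.v.b.f. of a quasigroup of order $2^d$, the ANF of each coordinate function $f_i$ via the Möbius transform, and the MQQ type of Definition 3.3. The quasigroups tested, $(\mathbb{Z}_4, +)$, $(\mathbb{Z}_8, +)$ and $(\mathbb{Z}_4, \oplus)$ (bitwise XOR), are chosen here.

```python
from itertools import product


def anf(truth, nvars):
    """Möbius transform over GF(2): truth table (indexed by the input bits as
    an integer) -> ANF coefficients (indexed by the monomial's variable mask)."""
    coeff = list(truth)
    for i in range(nvars):
        bit = 1 << i
        for mask in range(1 << nvars):
            if mask & bit:
                coeff[mask] ^= coeff[mask ^ bit]
    return coeff


def degree(coeff):
    """Algebraic degree: most variables in any monomial whose coefficient is 1."""
    return max((bin(mask).count("1") for mask, c in enumerate(coeff) if c), default=0)


def is_latin(op, d):
    """op on 0..2^d-1 is a quasigroup iff its table is a Latin square."""
    n = 1 << d
    return (all(sorted(op(a, b) for b in range(n)) == list(range(n)) for a in range(n))
            and all(sorted(op(a, b) for a in range(n)) == list(range(n)) for b in range(n)))


def coordinate_anfs(op, d):
    """ANF of each coordinate function f_i(x_1..x_d, y_1..y_d) of *_vv for the
    quasigroup op(a, b).  Input index: the d high bits are a (the x's), the
    d low bits are b (the y's); output bit i of op(a, b) is z_i."""
    n = 1 << d
    anfs = []
    for i in range(d):
        truth = [0] * (1 << (2 * d))
        for a, b in product(range(n), repeat=2):
            truth[(a << d) | b] = (op(a, b) >> i) & 1
        anfs.append(anf(truth, 2 * d))
    return anfs


def degrees(op, d):
    return [degree(f) for f in coordinate_anfs(op, d)]


def mqq_type(op, d):
    """Definition 3.3: type Quad_{d-k} Lin_k needs every f_i quadratic or
    linear, with k linear ones and 0 <= k < d.  Returns (d-k, k) or None."""
    degs = degrees(op, d)
    quad, lin = degs.count(2), degs.count(1)
    if quad + lin == d and lin < d:
        return (quad, lin)
    return None


if __name__ == "__main__":
    add4 = lambda a, b: (a + b) % 4   # carry into bit 1 is the quadratic term x_0 y_0
    print(is_latin(add4, 2), degrees(add4, 2), mqq_type(add4, 2))   # True [1, 2] (1, 1)
    add8 = lambda a, b: (a + b) % 8   # second carry is cubic, so not MQQ
    print(degrees(add8, 3), mqq_type(add8, 3))                      # [1, 2, 3] None
```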

The authors prove the following

Theorem 3.1. Let $A_1 = [f_{ij}]$ and $A_2 = [g_{ij}]$ be two $d \times d$ matrices of linear Boolean expressions, and let $b_1 = [u_i]$ and $b_2 = [v_i]$ be two $d \times 1$ vectors of linear or quadratic Boolean expressions. Let the functions $f_{ij}$ and $u_i$ depend only on the variables $x_1, \ldots, x_d$, and let the functions $g_{ij}$ and $v_i$ depend only on the variables $x_{d+1}, \ldots, x_{2d}$. If $\mathrm{Det}(A_1) = \mathrm{Det}(A_2) = 1$ in $GF(2)$ and if

$A_1 \cdot (x_{d+1}, \ldots, x_{2d})^T + b_1 = A_2 \cdot (x_1, \ldots, x_d)^T + b_2$

then the vector valued operation $*_{vv}(x_1, \ldots, x_{2d}) = A_1 \cdot (x_{d+1}, \ldots, x_{2d})^T + b_1$ defines a quasigroup $(Q, *)$ of order $2^d$ that is MQQ [53].



The authors researched the existence of MQQ of order 8, 16 and 32. 

Problem 3.1. The authors consider finding MQQs of orders $2^d$, $d > 6$, as an open research problem.

The authors show that the proposed cipher is resistant to the chosen plaintext attack, attacks with differential cryptanalysis, the XL attack, Gröbner basis attacks and some other kinds of attacks.

Algebraic cryptanalysis of the MQQ public key cryptosystem is given in [U5]: "... we present an efficient attack of the multivariate Quadratic Quasigroups (MQQ) cryptosystem. Our cryptanalysis breaks MQQ cryptosystems by solving systems of multivariate quadratic polynomial equations using a modified version of the MutantXL algorithm".

In order to make Algorithm 3.1 more complicated and still quite fast we propose the following

Procedure 3.1. Let $A$ be a non-empty alphabet, $k$ be a natural number, $u_i, v_i \in A$, $i \in \{1, \ldots, k\}$. Define a system of $n$ $n$-ary orthogonal operations $(A, f_i)$, $i = 1, 2, \ldots, n$. We propose the following ciphering procedure: $v_i = f_i(u_1, u_2, \ldots, u_n)$, $i = 1, 2, \ldots, n$. Therefore we obtain the following ciphertext: $v_1 v_2 \ldots v_n$.

The deciphering algorithm is based on the fact that the orthogonal system of $n$ $n$-ary operations

$f_1(x_1, x_2, \ldots, x_n) = a_1,$
$f_2(x_1, x_2, \ldots, x_n) = a_2,$
$\ldots$
$f_n(x_1, x_2, \ldots, x_n) = a_n$

has a unique solution for any tuple of elements $a_1, \ldots, a_n$.

Notice that we can take as a system of orthogonal $n$-ary operations a set of orthogonal $n$-quasigroups [1171 11181 E].

Of course this choice does not make Procedure 3.1 safer, but it gives a possibility to use Algorithm 3.2 and Procedure 3.1 together on the basis of the same quasigroup system.

Probably it makes sense to use in Algorithm 3.2 irreducible 3-ary or 4-ary finite quasigroups [1, 2].
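An added example (not the survey's own code) of Procedure 3.1 over $A = \mathbb{Z}_5$ with $n = 3$: the orthogonal system is built from an invertible matrix with no zero entries (chosen here), so that each $f_i$ is itself a ternary quasigroup, and both orthogonality and the unique-solution property used for deciphering are checked exhaustively.

```python
from itertools import product

P = 5  # constructed alphabet A = Z_5
N = 3  # n = 3 ternary operations in 3 variables

# Constructed coefficient matrix (invertible mod 5, no zero entries) and
# constants: f_i(x) = sum_j M[i][j] * x_j + C[i] (mod 5).
M = [[1, 1, 2], [1, 2, 1], [2, 1, 1]]
C = [0, 3, 1]


def f(i, x):
    return (sum(M[i][j] * x[j] for j in range(N)) + C[i]) % P


def is_nary_quasigroup(i):
    """f_i is an n-ary quasigroup iff fixing all but one argument gives a bijection."""
    for pos in range(N):
        for rest in product(range(P), repeat=N - 1):
            vals = set()
            for t in range(P):
                x = list(rest[:pos]) + [t] + list(rest[pos:])
                vals.add(f(i, x))
            if len(vals) != P:
                return False
    return True


def is_orthogonal(funcs=None):
    """The system (f_1, ..., f_n) is orthogonal iff x -> (f_1(x), ..., f_n(x))
    is a bijection of A^n, i.e. the system f_i(x) = a_i has a unique solution
    for every tuple (a_1, ..., a_n)."""
    funcs = funcs or [lambda x, i=i: f(i, x) for i in range(N)]
    images = {tuple(g(x) for g in funcs) for x in product(range(P), repeat=N)}
    return len(images) == P ** N


def encrypt(u):
    """Procedure 3.1: v_i = f_i(u_1, ..., u_n)."""
    return tuple(f(i, u) for i in range(N))


def decrypt(v):
    """Deciphering = solving f_i(x) = v_i; exhaustive search over A^n, and the
    orthogonality of the system guarantees exactly one solution."""
    sols = [x for x in product(range(P), repeat=N) if encrypt(x) == tuple(v)]
    assert len(sols) == 1, "system is not orthogonal"
    return sols[0]


if __name__ == "__main__":
    print(all(is_nary_quasigroup(i) for i in range(N)), is_orthogonal())   # True True
    c = encrypt((3, 1, 0))
    print(c, decrypt(c))   # (4, 3, 3) (3, 1, 0)
    # A dependent system is not orthogonal: f_3 := f_1 + f_2 collapses the image.
    bad = [lambda x: f(0, x), lambda x: f(1, x), lambda x: (f(0, x) + f(1, x)) % P]
    print(is_orthogonal(bad))   # False
```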



4 Some applications of quasigroup-based stream ciphers 

In [100] (see also [57]) it is proposed to use Algorithm 3.1 for secure encoding of a file system. A survey of security mechanisms in mobile communication systems is given in [120].

SMS (Short Message Service) messages are sometimes used for the in- 
terchange of confidential data such as social security number, bank account 
number, password etc. A typing error in selecting a number when sending 
such a message can have severe consequences if the message is readable to 
any receiver. 

Most mobile operators encrypt all mobile communication data, including SMS messages. But sometimes, even when encrypted, the data is readable by the operator.

Among others, these needs give rise to the need to develop additional encryption for SMS messages, so that only accredited parties are able to engage in a communication. In [60] an approach to this problem using Algorithm 3.1 is described. In [61] differential cryptanalysis of the quasigroup cipher is given. A definition of the encryption method is presented.

In [57] the authors introduce a stream cipher with an almost public key, based on quasigroups for defining suitable encryption and decryption. They consider the security of this method. It is shown that the key (quasigroups) can be public and still have sufficient security. A software implementation is also given.

In [81] a public-key cryptosystem using generalized quasigroup-based stream ciphers is presented. It is shown that such a cryptosystem allows one to transmit securely both a cryptogram and a secret portion of the enciphering key using the same insecure channel. The system is illustrated by means of a simple, but nontrivial, example.

5 Neo-fields and left neo-fields 

A left neofield $(N, +, \cdot)$ of order $n$ consists of a set $N$ of $n$ symbols on which two binary operations "$+$" and "$\cdot$" are defined such that $(N, +)$ is a loop with identity element, say $0$, $(N \setminus \{0\}, \cdot)$ is a group and the operation "$\cdot$" distributes from the left over "$+$". (That is, $x \cdot (y + z) = x \cdot y + x \cdot z$ for all $x, y, z \in N$.) If the right distributive law also holds, the structure is called a neofield.

A left neofield (or neofield) whose multiplication group is $(G, \cdot)$ is said to be based on that group. Clearly, every left neofield based on an abelian group is a neofield. Also, a neofield whose operation of addition satisfies the associative law is a field.

In [28, 27] some cryptological applications of neofields and left neofields are described.

6 On one-way function 

A function $F : X \to Y$ is called a one-way function if the following conditions are fulfilled:

• there exists a polynomial algorithm for calculating $F(x)$ for any $x \in X$;

• there does not exist a polynomial algorithm for inverting the function $F$, i.e. there does not exist any polynomial time algorithm for solving the equation $F(x) = y$ with respect to the variable $x$.

It is proved that the problem of the existence of one-way functions is equivalent to the well known problem of the coincidence of the classes P and NP.

One of the better candidates for a one-way function is the so-called discrete logarithm function [83].

A neofield $(N, +, \cdot)$ of order $n$ consists of a set $N$ of $n$ symbols on which two binary operations "$+$" and "$\cdot$" are defined such that $(N, +)$ is a loop with identity element, say $0$, $(N \setminus \{0\}, \cdot)$ is a group and the operation "$\cdot$" distributes from the left and from the right over "$+$" [28].

Let $(N, +, \cdot)$ be a finite Galois field or a cyclic neofield (i.e. $(N \setminus \{0\}, \cdot)$ is a cyclic group). Then each non-zero element $u$ of the additive group or loop $(N, +)$ can be represented in the form $u = a^{\nu}$, where $a$ is a generator of the multiplicative group $(N \setminus \{0\}, \cdot)$. $\nu$ is called the discrete logarithm of $u$ to the base $a$, or, sometimes, the exponent or index of $u$.

Given $\nu$ and $a$, it is easy to compute $u$ in a finite field, but if the order of the finite field is a sufficiently large prime $p$, and is also appropriately chosen, it is believed to be difficult to compute $\nu$ when $u$ (as a residue modulo $p$) and $a$ are given.

In [28] discrete logarithms are studied over a cyclic neofield whose addition is a CI-loop.

In [83] the discrete logarithm problem for the group $RL_n$ of all row-Latin squares of order $n$ is defined (p. 103) and, on pages 138 and 139, some illustrations of applications to cryptography are given.
7 On hash function

In |46t US] an approach for the construction of hash functions using quasigroups is described.

Definition 7.1. A function $H()$ that maps an arbitrary length message $M$ to a fixed length hash value $H(M)$ is a One-Way Hash Function (OWHF) if it satisfies the following properties:

1. The description of $H()$ is publicly known and should not require any secret information for its operation.

2. Given $M$, it is easy to compute $H(M)$.

3. Given $H(M)$ in the range of $H()$, it is hard to find a message $M$ for the given $H(M)$, and given $M$ and $H(M)$, it is hard to find a message $M_0$ ($\neq M$) such that $H(M_0) = H(M)$.

Definition 7.2. A One-Way Hash Function $H()$ is called a Collision Free Hash Function (CFHF) if it is hard to find two distinct messages $M$ and $M_0$ that hash to the same result ($H(M) = H(M_0)$) [46].

We give a construction of a hashing function based on a quasigroup [H].

Definition 7.3. Let $H_Q() : Q \to Q$ be the projection defined as

$H_Q(q_1 q_2 \ldots q_n) = ((\ldots(a * q_1) * q_2 * \ldots) * q_n \qquad (2)$

Then $H_Q()$ is said to be a hash function over the quasigroup $(Q; *)$. The element $a$ is a fixed element from $Q$.

Example 7.1. Multiplication in the quasigroup $(Q, *)$ is defined in the following manner: $a * b = (a - b) \pmod 4$. This quasigroup has the following multiplication table:

 * | 0 1 2 3
---+--------
 0 | 0 3 2 1
 1 | 1 0 3 2
 2 | 2 1 0 3
 3 | 3 2 1 0

The value of the hash function is $H_2(0013) = (((2 * 0) * 0) * 1) * 3 = 2$.

Remark 7.1. There exists a possibility to apply the $n$-ary quasigroup approach to study hash functions of this kind, since, in fact, equality (2) defines an $n$-ary operation.

Remark 7.2. We notice that a safe hash function must have at least a 128-bit image, i.e. $H_Q(q_1 q_2 \ldots q_n)$ must consist of at least a 128-digit number [96].
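An added example (not from [46] or the survey) of the hash function $H_Q$ of Definition 7.3 on the quasigroup of Example 7.1, together with a count of preimages that illustrates, for this linear quasigroup, why hash functions of this kind can be weak for some types of quasigroups (the point made below about [121, 122]).

```python
from itertools import product

MOD = 4  # Example 7.1: Q = Z_4, a * b = (a - b) mod 4


def star(a, b):
    return (a - b) % MOD


def hash_q(message, a, op=star):
    """H_Q(q_1 ... q_n) = ((...(a * q_1) * q_2 ...) * q_n, Definition 7.3.
    Works for any binary quasigroup passed as op; * need not be associative."""
    h = a
    for q in message:
        h = op(h, q)
    return h


def multiplication_table(op=star, n=MOD):
    return [[op(a, b) for b in range(n)] for a in range(n)]


def preimage_counts(length, a, op=star, n=MOD):
    """How many messages of the given length hash to each value of Q."""
    counts = {v: 0 for v in range(n)}
    for msg in product(range(n), repeat=length):
        counts[hash_q(msg, a, op)] += 1
    return counts


def find_collision(length, a, op=star, n=MOD):
    """First pair of distinct messages with equal hash (constructed check;
    for the linear quasigroup of Example 7.1 the hash is a - sum(q) mod 4,
    so any two messages with equal digit sum collide)."""
    seen = {}
    for msg in product(range(n), repeat=length):
        h = hash_q(msg, a, op)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(multiplication_table())
    print(hash_q([0, 0, 1, 3], 2))        # 2, as in Example 7.1
    print(preimage_counts(4, 2))          # every value has 64 preimages
    print(find_collision(3, 2))
```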




In [121, 122] the hash functions proposed in [l6l US] are discussed. The author shows that for some types of quasigroups these hash functions are not secure.

From [86] we give the following summary: "In this paper we consider
two quasigroup transformations QMl: A?"^ — > A?"^ and QM2: A^ -^ A^'", 
where A is the carrier of a quasigroup. Based on these transformations we 
show that different kinds of hash functions can be designed with suitable 
security." 

Further development of quasigroup-based hash functions is reflected in [116].

In [105] an encrypter based on Algorithm 3.1 that has good scrambling properties is proposed.

8 CI-quasigroups and cryptology



In [281 ES] some applications of CI-quasigroups in cryptology with a non-symmetric key are described.

Definition 8.1. Suppose that there exists a permutation $J$ of the elements of a quasigroup $(Q, \circ)$ such that, for all $x, y \in Q$,

$J^r(x \circ y) \circ J^s x = J^t y,$

where $r, s, t$ are integers. Then $(Q, \circ)$ is called an $(r, s, t)$-inverse quasigroup.



In the special case when $r = t = 0$, $s = 1$, we have the definition of a CI-quasigroup.

Example 8.1. A CI-quasigroup can be used to provide a one-time pad for key exchange (without the intervention of a key distributing centre) [28l EH]. The sender $S$, using a physical random number generator (see [78] on random number generators based on quasigroups), selects an arbitrary element $c^{(u)}$ of the CI-quasigroup $(Q, \circ)$ and sends both $c^{(u)}$ and the enciphered key (message) $c^{(u)} \circ m$. The receiver $R$ uses his knowledge of the algorithm for obtaining $Jc^{(u)} = c^{(u+1)}$ from $c^{(u)}$ and hence computes $(c^{(u)} \circ m) \circ c^{(u+1)} = m$.

Example 8.2. We can propose the following application of $(r, s, t)$-inverse quasigroups in a situation similar to the one described in Example 8.1. It is possible to re-write the defining equality of an $(r, s, t)$-inverse quasigroup in the following manner: $J^r(J^s u \circ m) \circ J^{2s} u = J^t m$.

Then the scheme of the previous example can be re-written in the following manner. The sender $S$ selects an arbitrary element $J^s u$ of the $(r, s, t)$-inverse quasigroup $(Q, \circ)$ and sends both $J^s u$ and the enciphered key (message) $J^r(J^s u \circ m)$. The receiver $R$ uses his knowledge of the algorithm for obtaining $J^{2s}(u)$ from $J^s(u)$ and hence computes $J^r(J^s u \circ m) \circ J^{2s} u = J^t m$, and after this he computes the message $m$. Of course this example can be modified.

Example 8.3. [28]. Take a CI-quasigroup with a long inverse cycle $(c^{(0)}\ c^{(1)} \ldots c^{(t-1)})$ of length $t$. Suppose that all the users $U_i$ ($i = 1, 2, \ldots$) are provided with apparatus (for example, a chip card) which will compute $a \circ b$ for any given $a, b \in Q$. We assume that only the key distributing centre has knowledge of the long inverse cycle, which serves as a look-up table for keys.

Each user $U_i$ has a public key $u_i \in Q$ and a private key $Ju_i$, both supplied in advance by the key distributing centre. User $U_s$ wishes to send a message $m$ to user $U_t$. He uses $U_t$'s public key $u_t$ to compute $u_t \circ m$ and sends that to $U_t$. $U_t$ computes $(u_t \circ m) \circ Ju_t = m$.

Remark 8.1. It is not very difficult to understand that an opponent who knows the permutation $J$ may decipher a message encrypted by this method.
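An added example (not from [28]) of a CI-quasigroup built here as $x \circ y = (2x + 4y) \bmod 7$ with $J(x) = -x \bmod 7$ (the $(r, s, t)$-inverse identity of Definition 8.1 is checked exhaustively), running the exchanges of Example 8.1 and Example 8.3; the receiver's step uses nothing but the public element and $J$, which is exactly the observation of Remark 8.1.

```python
from itertools import product

MOD = 7  # constructed CI-quasigroup on Z_7


def op(x, y):
    """x o y = (2x + 4y) mod 7; 2 and 4 are mutual inverses mod 7, which is
    what makes (x o y) o (-x) = 8y = y hold."""
    return (2 * x + 4 * y) % MOD


def J(x):
    """The permutation of Definition 8.1; here J(x) = -x mod 7."""
    return (-x) % MOD


def j_power(x, k):
    for _ in range(k):
        x = J(x)
    return x


def is_quasigroup(n=MOD):
    rows = all(sorted(op(x, y) for y in range(n)) == list(range(n)) for x in range(n))
    cols = all(sorted(op(x, y) for x in range(n)) == list(range(n)) for y in range(n))
    return rows and cols


def is_rst_inverse(r, s, t, n=MOD):
    """Check J^r(x o y) o J^s x = J^t y for all x, y (Definition 8.1)."""
    return all(op(j_power(op(x, y), r), j_power(x, s)) == j_power(y, t)
               for x, y in product(range(n), repeat=2))


def is_ci(n=MOD):
    """CI-quasigroup = (0, 1, 0)-inverse quasigroup: (x o y) o Jx = y."""
    return is_rst_inverse(0, 1, 0, n)


# Example 8.1: the sender picks a random c and sends (c, c o m); the receiver
# computes Jc and then (c o m) o Jc = m.
def send_8_1(c, m):
    return c, op(c, m)


def receive_8_1(c, cm):
    return op(cm, J(c))


# Example 8.3: user U_t has public key u_t and private key J(u_t).
def send_8_3(public_key, m):
    return op(public_key, m)


def receive_8_3(private_key, ct):
    return op(ct, private_key)


if __name__ == "__main__":
    print(is_quasigroup(), is_ci(), is_rst_inverse(1, 1, 1))   # True True False
    c, cm = send_8_1(2, 6)
    print(receive_8_1(c, cm))                                  # 6
    u_t = 5
    print(receive_8_3(J(u_t), send_8_3(u_t, 3)))               # 3
```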

Remark 8.2. There exists a possibility to generalize Example 8.3 using some $m$-inverse quasigroups [71], or $(r, s, t)$-inverse quasigroups [72, 73], or $(\alpha, \beta, \gamma)$-inverse quasigroups ^^.

9 Critical sets and secret sharing systems 

Definition 9.1. A critical set $C$ in a Latin square $L$ of order $n$ is a set $C = \{(i; j; k) \mid i, j, k \in \{1, 2, \ldots, n\}\}$ with the following two properties:

(1) $L$ is the only Latin square of order $n$ which has symbol $k$ in cell $(i, j)$ for each $(i; j; k) \in C$;

(2) no proper subset of $C$ has property (1) jiSSf.



A critical set is called minimal if it is a critical set of smallest possible 
cardinality for L. In other words a critical set is a partial Latin square which 
is uniquely completable to a Latin square of order n. 
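An added example (not from [17] or the survey) that checks Definition 9.1 by backtracking: counting the Latin squares completing a partial Latin square and testing whether a set of filled cells is critical; the order-3 instance, a critical set of the cyclic Latin square $L[i][j] = (i + j) \bmod 3$, is constructed here.

```python
def count_completions(cells, n, limit=2):
    """Number of Latin squares of order n (symbols 0..n-1) extending the partial
    square given as {(row, col): symbol}; stops counting once `limit` is reached,
    which is all that unique completability needs."""
    grid = [[None] * n for _ in range(n)]
    for (i, j), k in cells.items():
        grid[i][j] = k
    empty = [(i, j) for i in range(n) for j in range(n) if grid[i][j] is None]

    def rec(pos):
        if pos == len(empty):
            return 1
        i, j = empty[pos]
        used = {grid[i][c] for c in range(n)} | {grid[r][j] for r in range(n)}
        total = 0
        for k in range(n):
            if k not in used:
                grid[i][j] = k
                total += rec(pos + 1)
                grid[i][j] = None
                if total >= limit:
                    return total
        return total

    return rec(0)


def is_uniquely_completable(cells, n):
    return count_completions(cells, n, limit=2) == 1


def is_critical(cells, n):
    """Definition 9.1: unique completion, and no proper subset is uniquely
    completable (it suffices to check the subsets missing a single cell,
    since losing cells can only add completions)."""
    if not is_uniquely_completable(cells, n):
        return False
    for cell in cells:
        smaller = {c: k for c, k in cells.items() if c != cell}
        if is_uniquely_completable(smaller, n):
            return False
    return True


# Constructed instance: two cells of the cyclic Latin square of order 3.
CRIT3 = {(0, 0): 0, (1, 1): 2}

if __name__ == "__main__":
    print(count_completions({}, 3, limit=100))   # 12 Latin squares of order 3
    print(is_critical(CRIT3, 3))                  # True
    print(is_critical({(0, 0): 0}, 3))            # False: 4 completions
```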

If the scheme has $k$ participants, a $(t, k)$-secret sharing scheme is a system where $k$ pieces of information called shares or shadows of a secret key $K$ are distributed so that each participant has a share such that

(1) the key $K$ can be reconstructed from knowledge of any $t$ or more shares;

(2) the key $K$ cannot be reconstructed from knowledge of fewer than $t$ shares.
Such systems were first studied in 1979. Simmons [115] surveyed various secret sharing schemes. Secret sharing schemes based on critical sets in Latin squares are studied in [17]. We note that critical sets of Latin squares give rise to possibilities to construct secret-sharing systems.

Critical sets of Latin squares were studied in a sufficiently big number of articles. We survey results from some of these articles. In [31] the spectrum of critical sets in Latin squares of order $2^n$ is studied. The paper [30] gives constructive proofs that critical sets exist for all sizes between $[n^2/4]$ and $[(n^2 - n)/2]$, with the exception of size $n^2/4 + 1$ for even values of $n$.

For Latin squares of order $n$, the size of a smallest critical set is denoted by $\mathrm{scs}(n)$ in [15]. The main result of [15] is that $\mathrm{scs}(n) \ge n \lfloor (\log n)^{1/3} / 2 \rfloor$ for all positive integers $n$.

In [63] the authors show that any critical set in a Latin square of order 
n>7 must have at least [ ^~^J^~ — J empty cells. See, also, [62] . 



2 

The paper [33] contains lists of (a) theorems on the possible sizes of 
critical sets in Latin squares of order less than 11, (b) publications, where 
these theorems are proved, (c) concrete examples of such type of critical 
sets. In [36] an algorithm for writing any Latin interchange as a sum of 
intercalates is corrected. 

In [59] the author proposes a greedy algorithm to find critical sets in Latin squares. He applies this algorithm to Latin squares which are abelian 2-groups to find new critical sets in these Latin squares. The critical sets have the nice property that they all intersect some $2 \times 2$ Latin subsquare in a unique element, so that it is easy to show the criticality.

In [1] the author gives an example of a critical set of size 121 in the 
elementary abelian 2-group of order 16. 

In [91] critical sets of symmetric Latin squares are studied. Therefore the authors require all elements in their critical sets and uniquely completable partial Latin squares to lie on or above the main diagonal. For $n > 2$, a general procedure is given for writing down a uniquely completable partial symmetric $2n \times 2n$ Latin square $L_{2n}$ containing $n^2 - n + 2$ entries, of which $2n - 2$ are identical and lie on the main diagonal.

Paper [32] presents a solution to the interesting combinatorial problem of finding the minimal number of elements in a given Latin square of odd order $n$ by which one may restore the initial form of this square. In particular, it is proved that in every cyclic Latin square of odd order $n$ the minimal number of elements equals $n(n - 1)/2$.

Surveys on critical sets of Latin squares are given in [67, 69]. See also m-.
The concept of Latin trades is closely connected with the concept of a critical set in Latin squares. Let $T$ be a partial Latin square and $L$ be a Latin square with $T \subseteq L$. We say that $T$ is a Latin trade if there exists a partial Latin square $T'$ with $T' \cap T = \emptyset$ such that $(L \setminus T) \cup T'$ is a Latin square. Information on Latin trades is in [16].

Remark 9.1. See also Introduction for other application of critical sets of 
Latin squares in cryptology. 

"For a given triple of permutations $T = (\alpha, \beta, \gamma)$ the set of all Latin 
squares $L$ such that $T$ is its autotopy is denoted by $LS(T)$. The cardinality 
of $LS(T)$ is denoted by $\Delta(T)$. Specifically, the computation of $\Delta(T)$ for 
any triple $T$ is at the moment an open problem having relevance in secret 
sharing schemes related to Latin squares" [49], [50]. 

10 Secret sharing systems and other algebraic systems 



Some secret-sharing systems are pointed out in [26]. One of such systems is the 
Reed-Solomon code over a Galois field $GF[q]$ with generating matrix $G = (a_{ij})$ 
of size $k \times (q-1)$, $k < q-1$. The determinant formed by any $k$ columns of 
$G$ is a non-zero element of $GF[q]$. The Hamming distance $d$ of this code is 
maximal ($d = q - k$) and any $k$ of the $q-1$ keys unlock the secret. 

In [9] an approach to some Reed-Solomon codes as some kind of orthogonal 
systems of n-ary operations is developed. 

In [10] a general approach to the construction of secret sharing systems using 
some kinds of orthogonal systems of n-ary operations is given. Transformations 
of orthogonal systems of n-ary operations are studied in [11]. 

We give the summary from [52] : "We investigate subsets of critical sets 
of some Youden squares in the context of secret-sharing schemes. A subset 
C of a Youden square is called a critical set if C can be uniquely completed 
to a Youden square but no proper subset of C has a unique completion to a 
Youden square." 

"That part of a Youden square Y which is inaccessible to subsets of a 
critical set C of Y, called the strongbox of C, may be thought to contain 
secret information. We study the size of the secret. J. R. Seberry and A. P. 
Street [108] have shown how strongboxes may be used in hierarchical and 
compartmentalized secret-sharing schemes." 

11 Row-Latin squares based cryptosystems 

A possible application in cryptology of Latin power sets is proposed in [29] . 
In [23] an encrypting device is described, based on row-Latin squares 
with maximal period equal to the Mangoldt function. 

In our opinion, the application of row-Latin squares in various branches of 
contemporary cryptology ("neo-cryptology") has big prospects. 

In [S3] it is proposed to use: 1) row-Latin squares to generate an open 
key; 2) a conventional system for transmission of a message that has the form 
of a Latin square; 3) a row-Latin square analogue of the RSA system; 4) a 
procedure of digital signature based on row-Latin squares. 



Example 11.1. Let 

    L = 
      2 3 4 1 
      4 1 3 2 
      3 2 4 1 
      4 3 1 2 

Then 

    $L^7$ = 
      4 1 2 3 
      4 1 3 2 
      3 2 4 1 
      3 4 2 1 

    $L^3$ = 
      4 1 2 3 
      1 2 3 4 
      1 2 3 4 
      3 4 2 1 

Then 

    $L^{21}$ = 
      2 3 4 1 
      1 2 3 4 
      1 2 3 4 
      4 3 1 2 

is a common key for a user A with the key $L^7$ and a user B with the key $L^3$. 
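The powers in Example 11.1 can be recomputed: each row of a row-Latin square is a permutation, and $L^k$ raises every row to its $k$-th power. The code below is an added example, not the survey's or [S3]'s own code; it assumes that the users' exponents (7 and 3) are their secrets and that each raises the other's published square to its own exponent, in the manner of a Diffie-Hellman exchange.

```python
# Added example, not from the survey: computing powers of the row-Latin square of
# Example 11.1 and checking that both users reach the same key L^21 = (L^7)^3 = (L^3)^7.
from math import lcm
from typing import List

Row = List[int]      # a row is a permutation of {1, ..., n}, written 1-based as in the text
Square = List[Row]

def perm_power(row: Row, k: int) -> Row:
    """k-th power of the permutation sigma(j) = row[j-1], returned as a 1-based row."""
    result = list(range(1, len(row) + 1))       # identity permutation
    for _ in range(k):
        result = [row[x - 1] for x in result]   # apply sigma once more
    return result

def row_latin_power(L: Square, k: int) -> Square:
    """L^k: every row of the row-Latin square is raised to the k-th power."""
    return [perm_power(row, k) for row in L]

def perm_order(row: Row) -> int:
    """Smallest k > 0 with row^k equal to the identity."""
    k = 1
    while perm_power(row, k) != list(range(1, len(row) + 1)):
        k += 1
    return k

def row_latin_period(L: Square) -> int:
    """L, L^2, L^3, ... repeat with period lcm of the row orders, so exponents
    only matter modulo this value (12 for the square below)."""
    return lcm(*(perm_order(row) for row in L))

# The square L of Example 11.1, copied from the text.
L_EXAMPLE: Square = [[2, 3, 4, 1], [4, 1, 3, 2], [3, 2, 4, 1], [4, 3, 1, 2]]

def common_key(L: Square, a: int, b: int) -> Square:
    """Assumed key agreement: A holds the exponent a and publishes L^a, B holds b
    and publishes L^b; each raises the other's square to its own exponent."""
    key_a = row_latin_power(row_latin_power(L, b), a)   # A computes (L^b)^a
    key_b = row_latin_power(row_latin_power(L, a), b)   # B computes (L^a)^b
    assert key_a == key_b == row_latin_power(L, a * b)  # both equal L^(ab)
    return key_a

if __name__ == "__main__":
    for k in (7, 3, 21):
        print(f"L^{k} =", row_latin_power(L_EXAMPLE, k))
    print("common key:", common_key(L_EXAMPLE, 7, 3))
    print("period of L:", row_latin_period(L_EXAMPLE))
```

The period of the square (12 here, the lcm of the row orders 4, 3, 3, 4) is the size of the exponent space an observer has to search, which is the quantity to keep large when choosing L.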

A public-key cryptosystem, using generalized quasigroup-based stream- 
ciphers, as it has been noticed earlier, is presented in [HT] . 



12 NLPN sequences over GF[q] 

Non-binary pseudo-random sequences over $GF[q]$ of length $q^m - 1$, called PN 
sequences, have been known for a long time [57]. PN sequences over a finite 
field $GF[q]$ are unsuitable directly for cryptology because of their strong 
linear structure [78]. Usually PN sequences are defined over a finite field 
and often an irreducible polynomial is used for their generation. 

In article [78] the definition of a PN sequence was generalized with the purpose 
of using these sequences in cryptology. 

We notice that, in some sense, ciphering is the making of a "pseudo-random 
sequence" from a plaintext, and cryptanalysis is the science of how to reduce the 
check of all possible variants (cases) when deciphering some ciphertext. 

These new sequences were called NLPN-sequences (non-linear pseudo- 
noise sequences). C. Koscielny proposed the following method for construc- 
tion of NLPN-sequences. 

Let $a$ be a PN sequence of length $q^m - 1$ over $GF[q]$, $q > 2$, i.e. 

$a = a_0 a_1 \cdots a_{q^m-2}$. 

Let $a^i$ be its cyclic shift by $i$ places to the right. For example 

$a^1 = a_1 \ldots a_{q^m-2} a_0$. 

Let $Q = (S_Q, \cdot)$ be a quasigroup of order $q$ defined on the set of elements of 
the field $GF[q]$. 

Then $b = a \cdot a^i$, $c = a^i \cdot a$, where $b_j = a_j \cdot a^i_j$, $c_j = a^i_j \cdot a_j$ for any 
suitable value of the index $j$ ($j \in \{1, 2, \ldots, q^m - 1\}$), are called NLPN sequences. 



NLPN sequences have much more randomness than PN sequences. As 
C. Koscielny notices, the method of construction of NLPN sequences is espe- 
cially convenient for fast software encryption. It is proposed to use NLPN 
sequences for the generation of keys. See also [76]. 
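The construction above, carried out over $GF(5)$ with $m = 2$, as an added example (not code from [78]): the PN sequence comes from a maximal-length LFSR, the quasigroup is a constructed non-affine isotope of $Z_5$, and the check on the LFSR recurrence shows the linear structure that $a$ has and $b$ has not. The polynomial, the permutation $F$ and the shift $i = 1$ are assumptions of this example.

```python
# Added example, not from [78]: Koscielny's NLPN construction over GF(5), with
# the PN sequence a produced by a maximal-length LFSR.
from typing import Callable, List, Tuple

Seq = List[int]

def pn_sequence(q: int, feedback: Seq, init: Seq) -> Seq:
    """One period of the LFSR s[n+m] = sum(feedback[k]*s[n+k]) mod q, from state init."""
    state, seen, seq = list(init), set(), []
    while tuple(state) not in seen:
        seen.add(tuple(state))
        seq.append(state[0])
        state = state[1:] + [sum(c * s for c, s in zip(feedback, state)) % q]
    return seq

def satisfies_recurrence(seq: Seq, q: int, feedback: Seq) -> bool:
    """True if every window of seq obeys the LFSR recurrence (the linear structure
    that makes plain PN sequences unsuitable for cryptology)."""
    m = len(feedback)
    return all(seq[n + m] == sum(c * seq[n + k] for k, c in enumerate(feedback)) % q
               for n in range(len(seq) - m))

def is_quasigroup(op: Callable[[int, int], int], q: int) -> bool:
    """Check that the table of op on {0, ..., q-1} is a Latin square."""
    rows = [[op(x, y) for y in range(q)] for x in range(q)]
    cols = [list(col) for col in zip(*rows)]
    return all(set(line) == set(range(q)) for line in rows + cols)

def cyclic_shift(a: Seq, i: int) -> Seq:
    """a^i as in the text: a_i ... a_{q^m-2} a_0 ... a_{i-1}."""
    return a[i:] + a[:i]

def nlpn(a: Seq, i: int, op: Callable[[int, int], int]) -> Tuple[Seq, Seq]:
    """b = a . a^i and c = a^i . a, computed term by term."""
    s = cyclic_shift(a, i)
    return [op(x, y) for x, y in zip(a, s)], [op(y, x) for x, y in zip(a, s)]

# Constructed parameters: q = 5, m = 2, primitive polynomial x^2 + x + 2 over GF(5),
# i.e. s[n+2] = 3*s[n] + 4*s[n+1] (mod 5); the PN sequence has length 5^2 - 1 = 24.
Q, FEEDBACK, INIT = 5, [3, 4], [0, 1]
F = [0, 1, 2, 4, 3]                      # a non-affine permutation of GF(5)

def quasi_op(x: int, y: int) -> int:
    """x . y = F(x) + y mod 5: a Latin square (isotope of Z_5) that is not a group."""
    return (F[x] + y) % Q

def nlpn_demo() -> Tuple[Seq, Seq, Seq]:
    """The PN sequence a and the NLPN pair (b, c) for the shift i = 1."""
    a = pn_sequence(Q, FEEDBACK, INIT)
    return (a,) + nlpn(a, 1, quasi_op)
```

Over $GF(3)$ every permutation is affine, so any order-3 quasigroup would leave $b$ linear; that is why the example uses $q = 5$ and a permutation $F$ that is not of the form $ax + b$.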

13 Authentication of a message 

By authentication of a message we mean that it is made possible for a receiver 
of a message to verify that the message has not been modified in transit, so 
that it is not possible for an interceptor to substitute a false message for a 
legitimate one. 

By identification of a message we mean that it is made possible for the 
receiver of a message to ascertain its origin, so that it is not possible for an 
intruder to masquerade as someone else. 

By non-repudiation we mean that a sender should not be able later to 
deny falsely that he had sent a message. 

In [28] some quasigroup approaches to problems of identification of a 
message, problem of non-repudiation of a message, production of dynamic 
password and to digital fingerprinting are discussed. See also [18] . 
In [27] the authors suggested a new authentication scheme based on quasi- 
groups (Latin squares). See also [26], [ESI], [120]. 

In [104] several cryptosystems based on quasigroups upon various com- 
binatorial objects such as orthogonal Latin squares and frequency squares, 
block designs, and Room squares are considered. 

Definition 13.1. Let $2 < t < k < v$. A generalized $S(t, k, v)$ Steiner system 
is a finite block design $(T, \mathcal{B})$ such that (1) $|T| = v$; (2) $\mathcal{B} = \mathcal{B}' \cup \mathcal{B}''$, where 
any $B' \in \mathcal{B}'$, called a maximal block, has $k$ points and $2 < |B''| < k$ for any 
$B'' \in \mathcal{B}''$, called a small block; (3) for any $B'' \in \mathcal{B}''$ there exists a $B' \in \mathcal{B}'$ 
such that $B'' \subset B'$; (4) every subset of $T$ with $t$ elements not belonging to 
the same $B'' \in \mathcal{B}''$ is contained in exactly one maximal block. 

In [89] (see also [IE]) an application of generalized $S(t, k, v)$ Steiner sys- 
tems in cryptology is proposed: a new authentication scheme based on the 
generalized Steiner systems is introduced, and the properties of this scheme 
are studied in the generalized affine planes. 

14 Zero knowledge protocol 

In [103] Rivest introduced the All-Or-Nothing (AON) encryption mode in order 
to devise means to make brute-force search more difficult, by appropriately 
pre-processing a message before encrypting it. The method is general, but it 
was initially discussed for block-cipher encryption, using fixed-length blocks. 

It is an unkeyed transformation, mapping a sequence of input blocks 
$(x_1, x_2, \ldots, x_s)$ to a sequence of output blocks $(y_1, y_2, \ldots, y_t)$ having the 
following properties: 

Having all blocks $(y_1, y_2, \ldots, y_t)$ it is easy to compute $(x_1, x_2, \ldots, x_s)$. 

If any output block $y_j$ is missing, then it is computationally infeasible 
to obtain any information about any input block $x_j$. 

The main idea is to preserve a small-length key (e.g. 64-bit) for the main 
encryption, which can then be handled by special hardware without much pro- 
cessing power or memory. This gives the method a strong advantage, since 
we can have strong encryption for devices that have minimum performance. 

Several transformation methods have been proposed in the literature for 
AON. In the article [88] a special transform is proposed which is based on 
the use of a quasigroup (it is used in Algorithm 13.1). 

In [24] it is proposed to use isotopy of quasigroups in zero knowledge 
protocol. 

Assume the users $u_1, u_2, \ldots, u_k$ form a network. The user $u_i$ has public 
key $L_{u_i}$, $L'_{u_i}$ (two isotopic Latin squares of order $n$) and secret key 
$l_{u_i}$ (the isotopism of $L_{u_i}$ upon $L'_{u_i}$). The user $u_i$ wants to prove his 
identity to $u_j$ but he does not want to reveal the secret key (zero-knowledge 
proof). 

1. $u_i$ randomly permutes $L_{u_i}$ to produce another Latin square $H$. 

2. $u_i$ sends $H$ to $u_j$. 

3. $u_j$ asks $u_i$ either to: 

a. prove that $H$ and $L'_{u_i}$ are isotopic, 

b. prove that $H$ and $L_{u_i}$ are isotopic. 

4. $u_i$ complies. He either 

a. proves that $H$ and $L'_{u_i}$ are isotopic, 

b. proves that $H$ and $L_{u_i}$ are isotopic. 

5. $u_i$ and $u_j$ repeat steps 1 through 4 $n$ times. 



Remark 14.1. In the last procedure it is possible to use isotopy of n-ary 
groupoids. 

15 Hamming distance between quasigroups 

The following question is very important in the construction of quasigroup based 
cryptosystems: how big is the distance between different binary or n-ary 
quasigroups? Information on the Hamming distance between quasigroup oper- 
ations is in several articles, including [39]. 

We recall that if $\alpha$ and $\beta$ are two n-ary operations on a finite set $\Omega$, then the 
Hamming distance of $\alpha$ and $\beta$ is defined by 

$\mathrm{dist}(\alpha, \beta) = |\{(u_1, \ldots, u_n) \in \Omega^n : \alpha(u_1, \ldots, u_n) \neq \beta(u_1, \ldots, u_n)\}|$. 



The author in [37] discusses Hamming distances of algebraic objects with 
binary operations. He also explains how the distance set of two quasigroups 
yields a 2-complex, and points out a connection with dissections of equilat- 
eral triangles. 

For a fixed group $(G, \circ)$, $\delta(G, \circ)$ is defined to be the minimum of all such 
distances for $(G, *)$ not equal to $(G, \circ)$ and $\nu(G, \circ)$ the minimum for $(G, *)$ 
not isomorphic to $(G, \circ)$. 

In [38] it is proved that $\delta(G, \circ)$ is $6n - 18$ if $n$ is odd, $6n - 20$ if $(G, \circ)$ 
is dihedral of twice odd order and $6n - 24$ otherwise, for any group $(G, \circ)$ of 
order $n$ greater than 50. In [119] it is shown that $\delta(G, \circ) = 6p - 18$ for $n = p$, 
a prime, and $p > 7$. 
In the article [39] there are listed a number of group orders for which 
the distance is less than the value suggested by the above theorems. New 
results obtained in this direction are in 



16 Generation of quasigroups for cryptographical needs 

An important cryptographical problem is the generation of "big" quasigroups 
which can be kept easily in a compact form in computer memory. 
It is clear that for this aim the most suitable way is to keep a little base 
and some procedures for obtaining a necessary element. 

Therefore we should have easily generated objects (cyclic group, abelian 
group, group), fast and complicated methods of their transformation (paras- 
trophy, isotopy, isostrophy, crossed isotopy [109], homotopy, generalized iso- 
topy), and ways of gluing and blowing them up (direct product, semi-direct product, 
wreath product [66], crossed product, generalized crossed product). For these aims 
various linear quasigroups (especially n-ary quasigroups) are quite suitable 
[TIESllm]. 

In [99] it is proposed to use Boolean functions in the construction of n-ary 
and binary quasigroups. 

A method of generating a practically unlimited number of quasigroups of 
an arbitrary (theoretically) order using the computer algebra system Maple 
7 is presented in [79]. 

This problem is crucial to cryptography and its solution permits one to im- 
plement practical quasigroup-based endomorphic cryptosystems. 

In the article [79] it is proposed to use isotopy of quasigroups and di- 
rect products of quasigroups. If we start from the class of finite groups, then, 
using these ways, it is possible to obtain only the class of quasigroups that are 
isotopic to groups. We notice that there exist many quasigroups (especially of 
large order) that are not isotopic to a group. Therefore for the construction 
of quasigroups that are not isotopic to groups it is probably better to use the 
concept of gisotopy [98], [113]. 
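The "little base plus procedures" idea of this section, as an added example (not code from [79]): a quasigroup of order $2^w$ is an isotope of the cyclic group $Z_{2^w}$ under three cheap bijections, so any element, and the left division needed to undo it, is computed on demand and no table is stored. The three bijections and their constants are assumptions of this example; as the text notes, every quasigroup obtained this way is isotopic to a group.

```python
# Added example, not from [79]: a quasigroup of order 2^w kept as a "little base"
# (the cyclic group Z_{2^w}) plus three cheap bijections, so no table is ever stored.
from typing import Callable, Tuple

Op = Callable[[int, int], int]

def make_quasigroup(w: int, a: int, xor_const: int, rot: int) -> Tuple[Op, Op]:
    """Returns (op, left_div) for x . y = gamma(alpha(x) + beta(y) mod 2^w),
    an isotope of Z_{2^w}; a, xor_const and rot are the (constructed) parameters."""
    mask = (1 << w) - 1
    assert a % 2 == 1 and 0 < rot < w, "a must be odd and rot a proper rotation"

    def alpha(x: int) -> int: return (a * x) & mask                 # bijection: odd multiplier
    def beta(y: int) -> int: return y ^ xor_const                   # bijection and involution
    def gamma(z: int) -> int: return ((z << rot) | (z >> (w - rot))) & mask    # rotate left
    def gamma_inv(z: int) -> int: return ((z >> rot) | (z << (w - rot))) & mask  # rotate right

    def op(x: int, y: int) -> int:
        return gamma((alpha(x) + beta(y)) & mask)

    def left_div(x: int, z: int) -> int:
        """The unique y with op(x, y) == z (left division), used to undo op."""
        return beta((gamma_inv(z) - alpha(x)) & mask)

    return op, left_div

def is_latin(op: Op, n: int) -> bool:
    """Exhaustive Latin-square check of op on {0, ..., n-1}; feasible only for small n."""
    full = set(range(n))
    return (all({op(x, y) for y in range(n)} == full for x in range(n))
            and all({op(x, y) for x in range(n)} == full for y in range(n)))

if __name__ == "__main__":
    op8, ldiv8 = make_quasigroup(8, 0x5B, 0xA5, 3)           # small enough to check fully
    print("order-256 table is Latin:", is_latin(op8, 256))
    op32, ldiv32 = make_quasigroup(32, 0x9E3779B1, 0xDEADBEEF, 13)
    z = op32(123456789, 987654321)                           # one cell of a 2^32 x 2^32 table
    print(z, ldiv32(123456789, z) == 987654321)
```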

17 Conclusion remarks 

In many cases in cryptography it is possible to replace associative systems 
by non-associative ones, and practically in any case this change gives in 
some sense better results than the use of associative systems. Quasigroups, in 
spite of their simplicity, have various applications in cryptology. Many new 
cryptographical algorithms can be formed on the basis of quasigroups. 